Messages - yourfriendarmando

#1
For good measure, I usually go into each interface and specify "Prevent Interface Removal".
#2
General Discussion / Re: Who uses opnsense in companies
October 23, 2024, 11:29:10 PM
I have had great success setting up an OPNsense firewall for each of my clients. I feel they are far better protected than any of the "business" solutions offered by the ISP.
#3
I think this is related, as that error is the top of what is happening here.

I highly recommend pulling back this release before more folx upgrade their production systems.

https://forum.opnsense.org/index.php?topic=43474.0
#4
Hi all

Where are we with this?

I just upgraded both, and this only happens on BE, the most up to date CE appears to be doing just fine.

It's just in my VMs. I'm glad I tried the upgrade, which both succeeded fine. I'll hang back and re-upgrade my 24.4 VM at a later time, try again and make sure it's working fine before I upgrade my main system, as well as those of my subscribing clients.

Thank you
#5
There might also be tunables like this that can coerce the Intel chip to cooperate with the modules:

hw.ix.unsupported_sfp
Force Intel driver to use unsupported SFP+ modules. Def: 0
boot-time
Set the value to: 1
#6
Here is a shot of a rules table
#7
Hi All

I wanted to reach out and discuss the Cicada theme, which is a gorgeous dark mode of the stock theme.

I thought the screen brightness was more dim than usual, however, I am finding reading text a little harder unless I cut out more light in the room.

The change happened on package os-theme-cicada version 1.36, from 1.35.

It feels like the brightness was affected globally, or like an alpha blending of 0.70 was applied against black as the background. I am not a huge fan of the graphics being all around darker, however, can we make the text a bright white, or at least like in 1.35?

Screenshots attached of BE edition (1.35) and CE 24.1.10_8 (1.36). Not shown, but applies to CE 24.7.0_5 too.

Thanks

YFA
#8
Add an allow rule for the interface shown with the error "Default deny / state violation rule".
#9
General Discussion / Re: Possible bug?
July 09, 2024, 03:28:56 AM
That seems more for a hardware (even if VM) question. What are you using for your VM management?
#10
General Discussion / Re: Opnsense business
June 20, 2024, 06:55:17 PM
We'll check that out, or at least a 10 year, aligned with how often we renew domains etc.
#11
Something is filling up the logs very fast. I wish there was a way to see each log area and get the totals of each size.

For now you need to do the following to see which one is swelling up. Log in to the box via console, ssh, serial.

cd /var/log
du -hscx -- *

From there it will depend what you need to address: maybe you have disk issues, network card causing too many interrupts, someone is trying to break in through the firewall, you have a device constantly requesting an ipv6 address.

When you see which one is largest, it will have a latest.log, dmesg, syslog etc.

You can run this to watch the log and keep refreshing even if the file is rotated:

tail -F logFile
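
An added example, not part of the original post: a small shell helper that gives the per-log-area totals the post asks for, built on the same du invocation and sorted so the swelling area comes first. The function names log_totals and largest_log are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# log_totals and largest_log are hypothetical helper names.

# log_totals DIR [N]
# Prints "KB<TAB>name" for the N largest entries directly under DIR,
# biggest first. Each sub-directory (log area) is summed as one entry.
log_totals() {
    dir=${1:-/var/log}
    top=${2:-10}
    # Run in a subshell so the caller's working directory is untouched.
    (
        cd "$dir" 2>/dev/null || exit 1
        # -s: one total per argument, -k: kilobyte units,
        # -x: do not cross into other filesystems mounted below DIR.
        du -skx -- * 2>/dev/null | sort -rn | head -n "$top"
    )
}

# largest_log DIR
# Prints only the name of the biggest entry, i.e. the log area to
# inspect next (for example with: tail -F DIR/<name>/latest.log).
largest_log() {
    log_totals "$1" 1 | cut -f2
}

# Stand-alone run: show the ten largest log areas under /var/log,
# or under the directory given as the first argument.
log_totals "${1:-/var/log}" "${2:-10}" || true
```

Sizes are in kilobytes so the numeric sort is exact; the -h flag from the command above is dropped because human-readable units do not sort correctly with sort -n.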
#12
Those should work fine and deliver on vlan. They're a bonus having some level of prioritization. I use the GS308EP series. I think the gs108 should be similar. I don't do port bonding/lagg, and these do only a more basic mode than lacp.
#13
Then use one of those obscure systems podman, hetzner, or eurovision. I won't put my name behind obscure software.

Don't forget both protocols are very different. I'll set static reserved ipv4 addresses. For my very important devices, I'll give them a static ipv6 address. The ipv6 client presents something totally different than a simple MAC address. The ipv6 leases try to find the ipv4 version but it's not guaranteed. Besides servers, it's not really important what ipv6 a client device has.
#14
In your WAN interface config, you might need to uncheck a box that says "Only Request ipv6 route". It's in the same place as the prefix request. The address you "should" be handed starts with 2001:xxx.... That would then be a world accessible IPv6 to your FW.

For me it's not worth enabling the v6 listening side because it is a dynamic IP allocation, and my domain registrar does not yet support dynamic DNS for AAAA records, IPv6 version of a host A record.
#15
This would be a first for something going into Bridge mode on its own. On these off the shelf devices, you usually have to manually put it in Bridge mode. Once you do that, it stops being a firewall and you don't need it to be handing out addresses. The mode switch usually makes it reboot too. I had some Asus devices, and noticed the WAN/Internet port doesn't work the same way as the remaining switch ports. I would just plug the switch1 into port 1 of the WAP.